Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-nwmdma1pv4
Target 2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock
SHA256 083b85ac923fbb8dac3a91c9772762bc5b6c891a18f5cc684652c26fcac60b2f
Tags
defense_evasion discovery persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

083b85ac923fbb8dac3a91c9772762bc5b6c891a18f5cc684652c26fcac60b2f

Threat Level: Known bad

The file 2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Renames multiple (82) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 11:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 11:44

Reported

2025-05-18 11:47

Platform

win10v2004-20250502-en

Max time kernel

12s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\fqUAcgUk\\IqAYYkcg.exe," | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\fqUAcgUk\\IqAYYkcg.exe," | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\reg.exe | N/A

UAC bypass

defense_evasion trojan
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Renames multiple (82) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IqAYYkcg.exe = "C:\\ProgramData\\fqUAcgUk\\IqAYYkcg.exe" | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IqAYYkcg.exe = "C:\\ProgramData\\fqUAcgUk\\IqAYYkcg.exe" | C:\ProgramData\WOcsMYoM\sUIgwQws.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUQMgoUM.exe = "C:\\Users\\Admin\\TAsUckog\\AUQMgoUM.exe" | C:\Users\Admin\TAsUckog\AUQMgoUM.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUQMgoUM.exe = "C:\\Users\\Admin\\TAsUckog\\AUQMgoUM.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IqAYYkcg.exe = "C:\\ProgramData\\fqUAcgUk\\IqAYYkcg.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\TAsUckog | C:\ProgramData\WOcsMYoM\sUIgwQws.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\TAsUckog\AUQMgoUM | C:\ProgramData\WOcsMYoM\sUIgwQws.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\TAsUckog\AUQMgoUM.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\WOcsMYoM\sUIgwQws.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 2644 wrote to memory of 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe
PID 2644 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Users\Admin\TAsUckog\AUQMgoUM.exe
PID 2644 wrote to memory of 3540 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe
PID 4100 wrote to memory of 4916 | N/A | C:\Users\Admin\TAsUckog\AUQMgoUM.exe | C:\Users\Admin\TAsUckog\AUQMgoUM.exe
PID 3392 wrote to memory of 4764 | N/A | C:\ProgramData\WOcsMYoM\sUIgwQws.exe | C:\ProgramData\WOcsMYoM\sUIgwQws.exe
PID 3540 wrote to memory of 2772 | N/A | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe
PID 3720 wrote to memory of 3524 | N/A | C:\Windows\system32\cmd.exe | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe
PID 1552 wrote to memory of 4184 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\TAsUckog\AUQMgoUM.exe
PID 3524 wrote to memory of 4580 | N/A | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe | C:\ProgramData\fqUAcgUk\IqAYYkcg.exe
PID 2644 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\cmd.exe
PID 4184 wrote to memory of 4352 | N/A | C:\Users\Admin\TAsUckog\AUQMgoUM.exe | C:\Users\Admin\TAsUckog\AUQMgoUM.exe
PID 2644 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe | C:\Windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Users\Admin\TAsUckog\AUQMgoUM.exe

"C:\Users\Admin\TAsUckog\AUQMgoUM.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\TAsUckog\AUQMgoUM.exe

C:\ProgramData\fqUAcgUk\IqAYYkcg.exe

"C:\ProgramData\fqUAcgUk\IqAYYkcg.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\fqUAcgUk\IqAYYkcg.exe

C:\ProgramData\WOcsMYoM\sUIgwQws.exe

C:\ProgramData\WOcsMYoM\sUIgwQws.exe

C:\Users\Admin\TAsUckog\AUQMgoUM.exe

NEPS

C:\ProgramData\WOcsMYoM\sUIgwQws.exe

KSJC

C:\ProgramData\fqUAcgUk\IqAYYkcg.exe

PSWY

C:\ProgramData\fqUAcgUk\IqAYYkcg.exe

C:\ProgramData\fqUAcgUk\IqAYYkcg.exe

C:\Users\Admin\TAsUckog\AUQMgoUM.exe

C:\Users\Admin\TAsUckog\AUQMgoUM.exe

C:\ProgramData\fqUAcgUk\IqAYYkcg.exe

PSWY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Users\Admin\TAsUckog\AUQMgoUM.exe

NEPS

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | google.com | udp
GB | 172.217.16.238:80 | google.com | tcp
US | 8.8.8.8:53 | api.bitcoincharts.com | udp
DE | 144.76.195.253:443 | api.bitcoincharts.com | tcp
US | 8.8.8.8:53 | maps.google.com | udp
GB | 142.250.187.206:443 | maps.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.178.3:80 | c.pki.goog | tcp

Files


MD5 25c2916dc6df0d4144f644d074b2cd93
SHA1 ffbe601ab01004b12831cee37c4358814eda6ef3
SHA256 8c193a8c02234194d8aebb946cdc08ae03b4169d5eab3367b83dae7d4d6f9ed6
SHA512 13dc8c6fb37c65a2db82f1631c7aafd16bb4708af24955d321195e8b1120a95f9ff01ad7f96032ffba7a4d7de1a9596039dc1ece853af4e29890169fcb9087c6

C:\Users\Admin\AppData\Local\Temp\SwgU.exe

MD5 c47d40ac06e283be186126683d5cd510
SHA1 da7c387389d1cb42fb5334af07a5cd958381107c
SHA256 ec3af6483fcd654588e769db8e0c9efffadb0c0b71ab6eb88cad5371750b754d
SHA512 e51f1e206b70d0777613ed0410a07fbeb40f8a9e488cafbd511470aaec452c7674f10174ae8c1d76249be7aa997e7e82ab9104aa9aa2695daa4726b71d143f0d

C:\Users\Admin\AppData\Local\Temp\WwMe.exe

MD5 98348e7e92e5b1b9d50dbe032b9c6753
SHA1 5a7df2d4ef91afadbab121af374e49ceac954dfd
SHA256 0154c852ab46b2417658020931f8c5e7713a2c6c4b6813bf21ba87fa7f6c2232
SHA512 623b372a0e2e03c47a30ce80aa6a5090be76e183be75b9ef5e5cbbf7d698bd4462cf8978826ebb7cb58b34f0ab5fd483973615b88182868e34d5d8c7d844a3d3

C:\Users\Admin\AppData\Local\Temp\AEMO.exe

MD5 b64444d29b84147007fdc49275506176
SHA1 246a990146d8c3304d1f902d2dc79c1b2505a5d0
SHA256 e4dbee37e53619686b1fb0315c0fd5bb728126101d38ae6e036aae0bb92e01b0
SHA512 7419bf8b7f8ff07d8043d08000320e7fb94c11476b7c273df22100c7cd0341e5fa6ef223013ba571798831a960d4ba72cb54d95f7a1bb9c537699a3fd508e221

C:\Users\Admin\AppData\Local\Temp\SAIu.exe

MD5 307d2de44780f8f9503a1a2b5d91010e
SHA1 d80986a10253da41925e6377d4078729a64ed84a
SHA256 c7ca63e11d681aa591bb1cac1334858a6e4a55ac9ba7512b88ec10656d7d8a79
SHA512 8c2b4360a5eaaa8b43f91c0b6fa130c32d085c523a1a9e8812d86ada22bf4e3b0e3295b5ae8cd9ad28547a76f8a73b9a8f3c059dbb35c6ae7bb8066ef465e726

C:\Users\Admin\AppData\Local\Temp\cMwe.exe

MD5 80c71f50b0393898da58ef325420470e
SHA1 a8fd7648b1245548117665f880802ec0a94e6f3c
SHA256 e576708f4395ab7d8cd7713af9eabfe014e1682542743595c614579d763eefda
SHA512 5f43d5bc5be81bd65aa388622449f9919f9bfbb51b30b47909c1cc39ed9f33ec4e940e692dbd77d74e5b12e324bde304c80ad7dad38ccd93b023716bcb93c125

C:\Users\Admin\AppData\Local\Temp\Qcka.exe

MD5 246f0e5f22439f9355b8e36f3e5f5ed3
SHA1 89d3bfdba4111805c5a4f16e95d37b62718f3f7c
SHA256 d02de9d73ba6475296fc5154021b3871fe0aa8ae01106b1c9bb6eddd6ea12ea6
SHA512 82cc60d23b299a516c29afc58b066ea53d301762f282764874ef068554f32f8c7c4c37855c935cf3e43c701f9aa89d056ebb28bcfc8661cbc8b042be831a8f7f

C:\Users\Admin\AppData\Local\Temp\AoUe.exe

MD5 b6697f37e7a348a876188ee502b31159
SHA1 698a1b6eeb960cda5a40d72e7822e7f9d150498c
SHA256 ea0492fec72069e2199445380bd21dfd23f78227a66e9ad27f19884d3d721c5b
SHA512 0494038b224258a3bffaca34ceef62f81458e5e0914c8e519355cc4ac51a71cbf8e157d2cc1b8f10bf7b966e1909cd1e9ed89dac3df272932cf56305c3ff6e1d

C:\Users\Admin\AppData\Local\Temp\qQUu.exe

MD5 875107ca7400acea726f20decbe83d76
SHA1 57ecc18c1400e27cb43a830ddc93231b91b616b5
SHA256 22628ab007ddcb8d77ec28455756a2f7c5081f856a3f7e9bfdca0c05e67a273b
SHA512 d75cbb5275adfd216ceff373175375d2c1504ccc9a607a1636a89a582f150cfe424098ca09501750cce143329ceb2d8755b5332022d0b947382830bd383fcad2

C:\Users\Admin\AppData\Local\Temp\Wkoi.exe

MD5 9f89a5e7b389b57422f506a1a17a8a21
SHA1 59eacfeb47c3bb0e5d70f9f7635287bd88859343
SHA256 8f4515c778f33ba21294e5c6f28353390d206a1efc9d588193486ee8a0680bba
SHA512 ed4a7d12f4463171d3062180808427bbdbe68ba8e42269feb3a9dad97cd166919fd06e6d171a2b56327e1b5f2918f524e8e2dbff1c4f226bea8b4f6287291aba

C:\Users\Admin\AppData\Local\Temp\WEoQ.exe

MD5 13900e647add815a99b0dcc56aae6cee
SHA1 a109d8583deeb7819ee28625fe8a32b4f276803f
SHA256 234ba919461d9d35471b6f51cbb146c306620470024875cb6238e72ff638f4d6
SHA512 2d91b345802bd4d1528c8d55d5bbea46a042cccf79ce32d24b5e268e72d99002f85f9c12e37af3e433cf9620b5e3aa705098acb9ef2f77aa5f7e4f8652ee63a1

C:\Users\Admin\AppData\Local\Temp\iEAI.exe

MD5 02ba35c30553263e3aae81fbbfc7fd89
SHA1 20b9cc057a9ca8b3cb9a21041cdafb2dfcf51c19
SHA256 373b963697dd4a2d793f2a1914550bef1676577d6e7fc844951e63e2a09e44b3
SHA512 5736970778d93facb3f6807fd35abddb50914b2c79f382ece3d6fab2af6310d1412811fa7a6d189e7cd53887b3f2e54bfdb0754b5d35a99b9d6f1f3508915177

C:\Users\Admin\AppData\Local\Temp\QYQc.exe

MD5 1282d186fe28d50d40255879ce483312
SHA1 63dc6ff70fa6941680d728dc2ca38e51a0a8d7b1
SHA256 e041c262a77f268971cbdcd5324fd318acc0eca21ec173ea1f51968f9cca87c8
SHA512 df61c6d3fcc8cb2cae53b1a31ccdc879be0d5c32d4a910d2a5b5ab2261e5365db26dacc8ca9cf6ccd79272c6292301c8eeec85650eee8747ccd60fd7d6bbee70

C:\Users\Admin\AppData\Local\Temp\OQMu.exe

MD5 78a852373accd2254fe0e960157d14ed
SHA1 063dff4ec4befb3cd726e0468441fc5da13a5905
SHA256 83f9b4643ad319e10974ee12881184571e91056cf59b520e4fb5854161d21ca6
SHA512 ad4c4b791b67166763e1e0423b3b2229e84152340cc4c782fdf9414d91dd88b471aa0fce1095dfb9bc3c0760ff6b73a91699dcaef0fd4f553f652206012275cf

C:\Users\Admin\AppData\Local\Temp\ysAE.exe

MD5 3e8a663ec71a3a00f07e2b1ba809a049
SHA1 791a8896e1b15e4fcb74101d201762f94ffe8d74
SHA256 932c6a5e9c53b56ab259bbbd72a854970cb489b4c879ee507901377dfe3214de
SHA512 eaa28ab11c5a6cea808cb1e7987a3d50de2104b99a8b88b65f244cca4906480b15b77f57a222e5d794ce1f197445cadc50b442367f523ffbb77cc701f649f7cc

C:\Users\Admin\AppData\Local\Temp\IksW.exe

MD5 42e7fd597403333a0337760ffd54d234
SHA1 81f14b49df264ae9b592aea39397a8f2758de839
SHA256 b71a4873c9807aaab0728b147f1c662b7792868e42538a1f939ac1914ff2b897
SHA512 4b13b66a235fee611be628ed914bbea33a70897b55b13705aa38a5339ef27fa698665ea7e86a9fa82bc0e68f7fd191a704e836295627cb338a954655b0260f67

C:\Users\Admin\AppData\Local\Temp\GEYG.exe

MD5 8bbd11f7c70546add32c2c9feb3589a6
SHA1 0174359aeddb87fd54e8a9e6d794e1d2fba25402
SHA256 ab070c22623098fad1156f3effeecf33820c734ae3dd7b30708ed57fc3967677
SHA512 acaadddfaafe0c05f0f4c05a3861b86576c0010ccf6e3fef2aa3b59891f2903086c77846ebda9e7238fa5d9e04e95b32edd89c71c88b375befe78beae7ff31df

C:\Users\Admin\AppData\Local\Temp\uowo.exe

MD5 60ce7a2f0602f0ae317e0004cd8aa652
SHA1 3dfdd209527fd2b24a913d8d3f459996f0a0c8ad
SHA256 2d1f25356f374f7ba3214ccc735eff3090df5d8ebb56a48a90a7cd82a6575303
SHA512 22b93fdb4d4e82419c1a7b9cc02936cfb0026ca4f2049c5969557bf976ebea1056ec9cf95a2f40189dd17742f43a63fcfbf23f430d0757f156c16dd3b17470f3

C:\Users\Admin\AppData\Local\Temp\wIUq.exe

MD5 fada215b0a82cacd7cfeeb80c1b958ee
SHA1 e86502799f4abd5686827fcfc4c00e25459297b7
SHA256 f1a7f18e8e14d8a663fe884fd2cf176dbb5be0035a8eef56524dfd81b66ca302
SHA512 3a8a62d6888a88a6cd0c289f09999fe9158928824f6ade45aead7c0f4e42acff5d9f87f97d4ce1093268e20db2bddb7680bb2d4919303e11d3d6f4c29d773d3b

C:\Users\Admin\AppData\Local\Temp\GgUi.exe

MD5 90462cf1f7ea7e8cac9fe8f17bc14807
SHA1 5d043ca620ff5af0684177182d6a97bad34080c1
SHA256 448b1802332a3557ad117c1e67a8acd2f0ed3b4b9aa9111b8739613f1318996c
SHA512 2797dd92cd9966fe569108d2891ca4ebe965c20a14a4100cd6ffb7c35ac202832e881d195b3fcc0e9805707e8cb07aca36ff1b2549e8c6a66c36ed52fd0e081c

C:\Users\Admin\AppData\Local\Temp\cYwU.exe

MD5 ff23846fb369a8f029d6087321120817
SHA1 a32b42223933719d7b3abe727844af4160155639
SHA256 6fc2e8965771a2b56b91fd5a6368b9854296a35b804b299747bb8214c9ebad0c
SHA512 25965a0bd41f9c61bcca03e1dac48583b8f329e96f69571184a62f1a581d32655087ffd1f14f2c8251895c2b87bf8209e7e2cc620539abd823d11b23f846583b

C:\Users\Admin\AppData\Local\Temp\OQIc.exe

MD5 d1560770b1c4a3bb3d271eaaf2e7b54f
SHA1 128d9d6d3e68d3d3ef8dd94e40c5b1030b73623e
SHA256 9360d3d418c4f928b8ab1087abe6463d81d36976d50d644635842a1537d913df
SHA512 84e44329b4b8404abb1668414728e3b2bcdfc4b63c8f8db3e272cc836a0db55a25cc2ed38118f653b1a7bf16be88f8c8f1bff93d80fbfbc4d8b95413b6cc8bc8

C:\Users\Admin\AppData\Local\Temp\KYIU.exe

MD5 b9c6d5f25e6dc56e74340d0e1ae7d9a3
SHA1 8073f10d898b5f3a5f2a0b5c6ccb69fdab116f36
SHA256 b11aa554dd8a3dbe6d116b89680079852f452271e68948a625715e28e6cda8cb
SHA512 ee4c399734157d26e68fd99fd17c35d881ad14ccb8b7b384067b54a3430b8a868082f86bb8a178b2f979a07cb28cc472d75dcc4e46ff46d2bbf77a5a497aa341

C:\Users\Admin\AppData\Local\Temp\wYQw.exe

MD5 b4d7355277feb50d51212df7f2601a85
SHA1 ad923cf9643897d38ff28cbff6af96049dbd166d
SHA256 11079bd479bbfc0c19fae9ac5cb64ef1c2810a74961ec76e012aceedbf6e29b4
SHA512 d5b3d5b34be7d6e3c830e279ac0029458b76556cb8685c550cc1ba9ccdee1f672c8a7ddea319f8f1b34b23fa588071f27e9a2e4cdc39030ebbd5d80c2666bc1e

C:\Users\Admin\AppData\Local\Temp\KgEE.exe

MD5 1c0f425bf9a0cd73caed55ddce31be38
SHA1 b5ef24ace57452d0adb1fbaef2afc22984e17af4
SHA256 d684459406ca64ccb5263d3016f45d67b6ef49a96b9a1053d7d87c49f7206e3e
SHA512 9cd64da28f53fc584ea87890a6f09f6ba8ec1bb969fea5e62a510db9bb82d663a505488832d0677c6f168873bd1a8ca0a26ffc2aedf72e7233fc751ea5dd0eb8

C:\Users\Admin\AppData\Local\Temp\gEIY.exe

MD5 5bc755d21b8ea5714b71db68040c248b
SHA1 e9a2574025c1885dfae60e6908ef3ec4fcc62c18
SHA256 dc126c3e777a6b8ead240b531ec145360560491d76860d3989a65a369730b59a
SHA512 13edb68098f91ee1c5a2978dd024b301a93587919b6d51bcb8cceb20bc102c7d27d760541c5cc187d81324e45e88f582c81e68cbbe83f5c405102af79b96d409

C:\Users\Admin\AppData\Local\Temp\uMwG.exe

MD5 b3bd627cf7d90684b7b670498948e27f
SHA1 a14ec1863373c2be0035e2ae8225de830833f9cd
SHA256 f6fdb6f783aee3f9cc662ffb120efadeb8ddad107cfd73c98f91d21566d5670a
SHA512 8a3906be062c60f49e2b21393034cbd176e975e0700d2321fc16f88600addbd07c1b6ac1dafabcf2323b1717d2f612ddb146ce9f18ac83f5e4d051ed8466b4b8

C:\Users\Admin\AppData\Local\Temp\icws.exe

MD5 f34d4081484395e35224a989b089fa35
SHA1 b82c05cacd18c47340fcee460b9c0901363979c6
SHA256 f968114a3f1a4c741caf68946fb03b8a1b96d553367124676450fa946b0f0081
SHA512 4970654b22b301d0ca356fc59604be4ec01a973dc649710cf9674233c18d0fc2b8211ece339df066031b5a1db507eaf07c6286c06a075b6bca31f674a786741d

C:\Users\Admin\AppData\Local\Temp\Okwa.exe

MD5 d06c87401f93264b2579e038e57306f1
SHA1 9e77d9f417def3e4f68aa83d1b5170dd081a80b9
SHA256 d9078f587d65a850daa39a9b3595d9222d9aeca8bacb06b9dfbb1996e54e3c9c
SHA512 cc4265ce83480c2373b2c6e5545aa258beb55bf7c5d518c3d3bb36384c064449af9380c58bd5e16303f113434c912b7d2390fd895b82fec25d36795123958960

C:\Users\Admin\AppData\Local\Temp\IQMG.exe

MD5 dc3e358b26e08d4411f174e5fa16cc7d
SHA1 ea49423955352167b4380cc2b83d4e061669372c
SHA256 a13cccac3d2dd3c2ad21217cdcbce8a2731d971df72c414e715922d7ecc7f69f
SHA512 339d54729b3fb37d695a76e3fe0baa9f4be0bab41733c59c34a7ad1f9a27fbb938966146e5cf64201b7335bb8148f33f2cddfe6d2d2051401c91897a33bddb25

C:\Users\Admin\AppData\Local\Temp\mkIW.exe

MD5 535289c628826d46c94de14d5c684fa5
SHA1 aaf434e0426eb1fd796fb63e4d23e36f06bcc1fb
SHA256 785ebcb6d59fa6d0787b8f1dbd563e8fc53e1c98a7af05e613b46157ea192c06
SHA512 c7c6ca7fcd39160955c119815a82d1c1fff668a50aa511767cec2cd44c03aaaa76d2186fad7d6a3c87804866e31087e45e4d1e10ab4d67ffec1c07e83107ebfa

C:\Users\Admin\AppData\Local\Temp\aAcq.exe

MD5 219c1aa91c576032558b6686bce12a4a
SHA1 834b072540ffd0746291b1c9bc266896ebfb0d40
SHA256 c49333fc4e62d702bfad2b75def439a0b6064d0fad08be213e3cef55932d0a65
SHA512 d6ca4db3e25155eee901aa91f9f8ac8fd856b6fee6f42d4aefae79f66a664676d8d05e3d5f4285c993efe1bd542aaddf04ec6ec222548551618e7b8d1595fc01

C:\Users\Admin\AppData\Local\Temp\wIwW.exe

MD5 597ba4e78cca725861f773d94ba9497a
SHA1 bd943a8beff7d80c87f156ca41100f5a16e55320
SHA256 67936d2b9fd7c77ec1af71f918ba20ec5df05a53941f7da2a05f11dd087e53f2
SHA512 d2419e92e769de06ba0920f3f999d157cf42e9bdeb36cd814aa32f9615348b793fe1d7c2fd1caf45b944c30d5709fdeca4777cf699c2d593f303f3f07a99842b

C:\Users\Admin\AppData\Local\Temp\Kgcg.exe

MD5 0bfe37dd7d59dda46d7f22c747eadf28
SHA1 1941922e82281bfdc7486e65d7b6ffa87d3f5a6f
SHA256 0de355159ce2bed4a6b681f911830e383d1f2cbf12dae1cb6c597a024335a3e4
SHA512 5190db16d6e6bd2d4c0900ab4d4e32f286391d610cc94bbe52241939df6d619778f876e0a0dd5e802007fb7ae267f6256017c1dc709dc6a893e03f5fc4673bb7

C:\Users\Admin\AppData\Local\Temp\WQQO.exe

MD5 12680c54da491fd69132dea9d9e13402
SHA1 39ef55601a91d500f9043395f8ac073b653c543b
SHA256 01a903d0ea3d1ba18e4b678bb941d517bbce461d665a550ef7939068d8a8a828
SHA512 05ee013053264be61c1d7d77f2d7aeba2b89efb22ef7052200c45183a1e1c465ba226e6c4e42a8e2493bf05326caa6b77324d120de2dd7cd7dd637c9e17f6844

C:\Users\Admin\AppData\Local\Temp\EYAW.exe

MD5 dd9d545e86e19a2d707ad5cf400d7815
SHA1 6c5005ea30ca32a607a602da15e762334ee4ce51
SHA256 d22fdc8f60590d778796c4b28dc84f8ffd6661a5e655248fb645b41ebe761a4e
SHA512 ab3104ecc2b5462cb0fa8cb9f52012a8fc4e095d2bdeae1d2a7e953012703877cffb6c7a5668d88df7da51b65f7fc3f8e8e523f1910577c3ba8b31a1a063c5eb

C:\Users\Admin\AppData\Local\Temp\ggUQ.exe

MD5 796d564a2c5cb70a7e1adf87bdc89029
SHA1 cf4b3a20f140e4200345ee79ddfa36a7ba278e14
SHA256 f34d452422c070ef3df08023469d534559f191b12dcf9986ce2faed8be3e70ee
SHA512 bc370910dd5207d2938ae9c1e5635657cea322bf3caa6ea319ac98dea4b299c8bc057b5aba442c493ae92b8ac78b75f6eb49a9ce0a6cd4869d940a6e9dcbd7c3

C:\Users\Admin\AppData\Local\Temp\KAwm.exe

MD5 1c6cc8e42db63bcca066143463294f45
SHA1 d3d70084aed3245d243a55300bd76f663d757fbc
SHA256 30c48072f5be5685925af6aabe9be34227399ec8e6c2ff782c0b4c1980f5a2b9
SHA512 c578992590c7c4564632e63f0457a7adb4078cfa618d9ef52d557422964878e0afffc5c36a3b73b6079bcdc683aef4314c39de63a15fb6478b16e9e29942c422

C:\Users\Admin\AppData\Local\Temp\cosA.exe

MD5 8c5d80f11cffc9c194daf68e7ffcfb1f
SHA1 adbaff8596e11152eae7e797f46c9d75eaddd0b1
SHA256 b5016169da544043a6271caf0b5f2341d8e4fd6409233c8a7543cca112a0b8ea
SHA512 d098255b5f014f2b698808c378689f4dcd2c4393c28b920ab7fbdfebec1df762a342807fb65f39cfdafb8c1049703c333d8a65f8aa9da9a220452297f75294af

C:\Users\Admin\AppData\Local\Temp\qAcQ.exe

MD5 a4e9c6ee822e77fe541fc9ca9a725ed4
SHA1 f7cf07a89d42fd42521f066fa605bb0a4969b8c4
SHA256 d0338cf1925c5509e92b8e71dbfc349bea2c386462839a0a8735e785e3edac07
SHA512 c07c4ca0734f9036d068e3049df05bf864f79dced2960c85bbdaad31060e0790975cbf9d7f61ce68fcc51b4276a7e8978acd6abfddf24bef50d4c8c0cbcce080

C:\Users\Admin\Desktop\EnableExit.docx.exe

MD5 2acdeeb552db041fed86b2e7f4bbe024
SHA1 18dfc73a97974f3d459a540459382d29ae52087f
SHA256 b514a6988b803e486170c4f83a9a74677325a78e3faad5550f1cfe8ed39cc163
SHA512 f99cfe898a563bec60ccf2f726c51bd4bfa8cd6152571df849128879d9b655bdd1dbf1ebbba9c24bd31342712765205fd4ce558e05383f4456312de6634a1a64

C:\Users\Admin\AppData\Local\Temp\qwYW.exe

MD5 20d96f3611556ee46ec52c120e71291f
SHA1 501fab95910a8a8c084ee2b4b7aa97ae2333e45a
SHA256 49f15f77bb439222c8b428c3c3e191e2a2ba566ab9a9b9e9318c769e8823c27d
SHA512 51fad2f7116be813d2d86f44f14bbce5698fba8438f73f253426b2c397641bf8c24d40153dbc13934930d428fa4f78545df82ed7bd7aa6a6a73c26440114900e

C:\Users\Admin\AppData\Local\Temp\sscO.exe

MD5 0a20bcb96c5450fe5649424bbbfcd5a5
SHA1 a01b70eaba3d084d4f5d7167c5a41b096e039de5
SHA256 0d8df8eaf1c7fbbd8810d5d288a5232b3ced7179d8c55111dfee8fc0154c587d
SHA512 d1004362c7db9e41ee4ef008c8fd6ffab9fc71bdce5b4bd059f5639955a5895c933a52d29a83a9585fb34b41580ca99c33b15cfdaf4a6627ab24bc928772d5c3

C:\Users\Admin\AppData\Local\Temp\ewAW.exe

MD5 b118ada3730ab4a08cdb3deaa9be58d1
SHA1 da0244965ef6a4767c8423877f4e08cbd555eb1f
SHA256 034e741b91dc2b95a42a35812d97a18b216449aed85b326fc148e27fec484f0d
SHA512 68d43ef056b79a9f4ad20d6d240ff64b6af7c4247185cb30747a030aac7f57bfb354fda824d994fc5f0b6e99e823148fa41eecdb90d4918bb8ee93af0849179a

C:\Users\Admin\AppData\Local\Temp\GMQe.exe

MD5 307ef094a3c03151c0d45a4e2f912996
SHA1 dab860b6451b4bf98bb45a63df4dc99c5bfbc5b4
SHA256 0b02f071a762a71789c8adeb8a809dfdc11a4a2f6dcf3bfd1d088d7c53431795
SHA512 36bc022a8d93e954c0800e7787328b260b5a348a6b33eab22368159c9ce2f942d574c11bf2007894645815cb08267bebd7eb4058a4f0fc82a2d739adc224c8c8

C:\Users\Admin\AppData\Local\Temp\MMME.exe

MD5 8e1e81cb0ddc9d42aa9e03ba24beb6e2
SHA1 e6ccc15cbc7e59c15af5c6df33461d8ade48cad1
SHA256 622fac779d1f39a5a6fb65f0b568c7e781bfd52b35ec74fbdf8520f6f391b6d6
SHA512 56459f6e22cc4b8eea61af3d01089e53af435237db41250dad58e00329781e9427296ea80b6ddd450d65499a6d90a39946fe8f57bd27b261f9ae9cc3cb947306

C:\Users\Admin\AppData\Local\Temp\wwwk.exe

MD5 51c8cc50b8b0b0ef31ac50d58ab4b547
SHA1 f02e61ed1b29d908e6f56d49c730236ac4160248
SHA256 29766d0b3af16ff53bbf6b5f634f2c0ea852f22a3a197ac9be775f47683b3fc7
SHA512 7588bbed6ff74c9f32d345380f71cd6196d27f4ccdf594af9d22acc33a12ce1f821a13054bb10e1f7f64766d2a8677b5e854836d30db61b4cf5618854e1bd49e

C:\Users\Admin\AppData\Local\Temp\omkM.ico

MD5 951d9e1744712a1cab7a5f3f15935229
SHA1 ab3fb88a9610c38adb58cc9542db16d4f452cf6f
SHA256 114dae4c54ca426f78e50998727dac92942261d71ca5b2dbaf413794dcf8ad82
SHA512 9577444338ba09d5b16386100612c7e3ecb897d8ed4801f5992ae4522e45603b797475c15cd29c72446d19ee3ee9aef9a3d82e98657051b2377dbb4925dce6ee

C:\Users\Admin\AppData\Local\Temp\GMQO.exe

MD5 2a69078cc9ed116ebc3871abc929ced2
SHA1 50d037b0c223668676072dfc2b18c4e4d751645c
SHA256 b3e323f8f725d1cf4780a32a50c7085c80d757d5bac5cf9ddb76d3ce2d8d4fdd
SHA512 2c28677d9a19c57d23b86c06b95ab0a06bb80b50bd71525bd7a29674bbac73cf0bdd6e24a30272446063e8753aa8692d85c7296073b79721039cb1b3abb0c3a7

C:\Users\Admin\AppData\Local\Temp\okUi.exe

MD5 c78ed553840bafb0e5724712521c6507
SHA1 f5de0fdc1bf800c306d626d4566af24e3c217ec7
SHA256 885c60a805f639d11af05155f038b392a4135fc3c73d5c419c7c64e7a1ea837a
SHA512 262d7fb2cab703e7225ad7513d2f785a23c3431a21aef8e9421582c38c66c4f83a964583676f5de77ee8065e7f5a8c1a32d0a7d4cf223f50ef35d7d540198964

C:\Users\Admin\AppData\Local\Temp\KQwg.exe

MD5 36cb248fd2b5a43551ef9f2a408b40fc
SHA1 76f30bab578d9f88dd07267f3a5c64a4ef10beb0
SHA256 09d38e2b47a5d3d6e3e1cd40f60891a7d0795840f38c4b2a33b430ec9a20f10f
SHA512 486f29c971acd4462ede9d3be882233579c266bf703158318978b7718f3dee3321073bed71690d0db473115658a773b455749010612cdb1962e6d982534a48f6

C:\Users\Admin\AppData\Local\Temp\gIQA.exe

MD5 a9627516e7075b2bae05154cffacff3a
SHA1 dc79ae1efc93a42ef566fb13d9d6a040527ea12d
SHA256 bc1768a87f36d191a4e7d933d554eda04ea49c70085978a5d1216983eff6e8f2
SHA512 1c7b3e26a4a869bd5cfaa0c6311e2cfc3d68025123eb04d2e32ac33a540202f97c2a1bf6ad14cc4b598523573595b92ba3f7e67cda90c66ea90e6a6af06f3d5d

C:\Users\Admin\AppData\Local\Temp\wMsY.exe

MD5 8af8d3e902a086bbe793a048ec8e2387
SHA1 e170ec78ce011f792874d53a0925a8e7e0ae9e61
SHA256 12e7d60f26af63c8c2f7db4608b97cd2215915cd42db443c9ce2df88365d1677
SHA512 17fea34707dc23104da5adace6ab68093736bd7f3a1709d63900d0bd971880df817536fcf07201edc24937e8f2f48935915f2a70470cc34dee51f61e3ae2f725

C:\Users\Admin\AppData\Local\Temp\Cwcu.exe

MD5 bace73bf502eb11c6caa2d92627faa5f
SHA1 a70c017469eba4be74122d84fb6885cfff55bce2
SHA256 7392bc8eadb8a49306bba3115f5993a7721d9d4968e17d369e30f9e2ae31c442
SHA512 1c1dd486482e1accfcb1c2cc9e181d82ef697329a66fa9ea4a0ffe206d01fcc10968cd2aa923cb9a2b88202bc6bce5b9e9706e2b6d3d51376db2b2f62b25c4ca

C:\Users\Admin\AppData\Local\Temp\uAQe.exe

MD5 de35cf38f7d9c410e854c9d11e47414c
SHA1 19e4067896f88f77301e444b7cc3c041ec4c8443
SHA256 709062b44b1d80739281d93d8ca2662878013d92ba78526c6f92be814dc066df
SHA512 33568d06051c712e3971e352fd2d103ab1ca436924718f6c01587cb4e8f09a4fd5a4cce5331312bc9a1c7783a2c52a192999ebe3cca2ce1ef1f60a13edf2aa51

C:\Users\Admin\AppData\Local\Temp\SAMe.exe

MD5 b4980a78d79fd0e030a036bb3985eec9
SHA1 8dc69b429687500f343194f725614f9aa4d3eb01
SHA256 5003e290b1dc92cbbf792ea0333f828ea41cb0582a9c121b3c032af10ebab4a5
SHA512 1a47fd0fe15acb471570caadde03019ce4f14a1739309a2a6c2345de22eccb0bd91eebbe201978399318043f0e20c2c74dc234426b0cee206223799163f2057a

C:\Users\Admin\AppData\Local\Temp\IwEY.exe

MD5 0defe678b3eebdcc8e2a74b218ab7517
SHA1 7299e1e60c66732bbb56cb16f00b4282cdcd6392
SHA256 ae15e89ae7242b5c6b0b45756eeff374ef68378873c19d9a5ac5ebeba009dc92
SHA512 d028ff1620f0d482c60287fa79eee1ba3dc313415f90b93c0a89f0c948072f4647d58f4f30b7b5451a7cc6c60fdb884989fc7ba3836f916328328d63e08aa1e6

C:\Users\Admin\AppData\Local\Temp\mQoO.exe

MD5 300241f948235ab57e363a3b0305c7b7
SHA1 3a0259f5620d6149fa8c8068d6ae85079839c8e5
SHA256 44de42ea1169fdf069dd9bdb72ddd8aec86da670ef7e50fe68a65717969475f9
SHA512 7f1f72a00c219591f4adc50c45da7cb24de7e795a171d372aef9331f153fa2149e722728e66418e201ce94ad23b9527721dc506aef41e22e607d76342e11aa3d

C:\Users\Admin\AppData\Local\Temp\oQUu.exe

MD5 64b3c4c1e5c9d3068de45aea0dde91b5
SHA1 d5c1c51be951b422c451ce7baca6d2c69e0be897
SHA256 f1b546ca66c9e427d329c43f46fdd1f8b9e809be8adb19b70fa759eed3bc4335
SHA512 efabe126b6e8e80d1111b17c009a03d84ea37515df6a0b2e2e24587e44587e482aa1657efe10634755b8d40cb3af77d919d064bb3a431f7646abd6e5d2b7e550

C:\Users\Admin\AppData\Local\Temp\yEUY.exe

MD5 ca29aa99805d235d7fc5ccadfee5186a
SHA1 b6426fa0a9f361f4e6fd5caffc2bbc7586d73e4f
SHA256 a969840690832a80f90547242df01df5c2d79e66d0405d8d75cedb31cf9fe6af
SHA512 e9d7d273d9c88501fecaf283e367a33d22c55e54e8c750f9f33999c4c301d97ce6a150cdd40c282952c3f7b22fefea5eb2721db842eec86d7641ce2d95ebbd25

C:\Users\Admin\AppData\Local\Temp\eMUI.ico

MD5 ace522945d3d0ff3b6d96abef56e1427
SHA1 d71140c9657fd1b0d6e4ab8484b6cfe544616201
SHA256 daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd
SHA512 8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

C:\Users\Admin\AppData\Local\Temp\kYIO.exe

MD5 c1b92e3ffb49afbc3a615705dea5a92a
SHA1 f0984130598c0ae1283a549be7ba9a87a0f21ac4
SHA256 7ee1bb999343320a46bcc6d7dcfc14c1a9b9e9efada62cffa4a5ae6ea3d5f6b6
SHA512 cbf8adf4bfe68633a286d036ad39d77532e6c05271b206ee4b9a70bf651890d3f1208a42252f622de4a623fffe5dbb6dd45d480be15bfae8d15ea1cafd67b240

C:\Users\Admin\AppData\Local\Temp\qmIg.ico

MD5 7ebb1c3b3f5ee39434e36aeb4c07ee8b
SHA1 7b4e7562e3a12b37862e0d5ecf94581ec130658f
SHA256 be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742
SHA512 2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

C:\Users\Admin\AppData\Local\Temp\wEcg.exe

MD5 5bafc05b8ff2bf359b70ecf7c2fc4d17
SHA1 2b9764f08bdc6ade98c8625b8d72cfce644eb139
SHA256 0f1c2c851bac7f14e77f683eb201f1eb2c0e3e6ec09e300db5b027f4c698d7c1
SHA512 170babb920ca20222cd055d61a8fa9ae1338ac2749f56a185274df390ad29b4fcb13298436976a1287eb6986342cac00fb430c940e7bb943af3a55b9cddc1121

C:\Users\Admin\AppData\Local\Temp\KoUW.exe

MD5 f926dbe8cbd8b0106b9c010fb06ffb97
SHA1 2ad0b0d79c5967cb60197f18872340f346b8e0ba
SHA256 5debc68ba18aaeadc70b0b3a4d579a4bf4e6688a9ee6a99c78cb222b9758cca6
SHA512 5f2188decddaf4ea1b65bef085f5c3b64ddfa007fbd7da39a87b0601099e1f57ab60ea05f105fe6016fe147b66b5510d2c6ab2ca838072a18ddb7e44836b8b5c

C:\Users\Admin\AppData\Local\Temp\IYsm.exe

MD5 942a58866cc8ea367f047d3823ead43e
SHA1 9303650029589a731d702482b4e93be0ed429f0d
SHA256 8af6ba83b8a179ed8550bd026d02decc938db261523faae6b1b7f878d861e08d
SHA512 1f2f749b471fac098b2f7059670e9fa9590502e6a7433ef765bb29ea0aebf44aa39906a19d75b33841cd4d102e85bd97048dd6b208a7c84dc4153ec09ddee453

C:\Users\Admin\AppData\Local\Temp\UQgg.exe

MD5 8b7847c55bb08ab90bf8db613667ef1a
SHA1 bc5ea5b3ee4e6c8da623cec12559edd48f005f01
SHA256 f2e8e0afbf2e576d13ad7863c952be42ce423cb2a132fe18c012fb3ff7cd3c5f
SHA512 23d192409e04af770485f5ab0c2c9b63f015bfd3077e2b8e1a6a45eeef7009de4c7591355f584a9df936acf7ee20a16c151b2044ea36d2373d37779ada5726d0

C:\Users\Admin\AppData\Local\Temp\cKEU.ico

MD5 c7fffc3e71c7197b5f9daaea510aac10
SHA1 23262fb8038c093ac32d6a34effbede5de5e880d
SHA256 71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865
SHA512 c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

C:\Users\Admin\AppData\Local\Temp\aQUC.exe

MD5 14d1538dcd345220ad3af2ab07903d2b
SHA1 6592f793120fc396a0d527dac9efaee63cd2ee7f
SHA256 3bf8ce10ad15b3904fcf037f73fb16decacdab8975a7333b8f7bae6c06b75e1f
SHA512 a7298ef6b5efb89237f44386742e4e534347d170ae7803cc1077022978c0377c0a13a30544d9ac3cf5523d76386f85117a9ff35d40d0808e0ca13da11c2a6a13

C:\Users\Admin\AppData\Local\Temp\GcsW.exe

MD5 700aa491e204d7983a63d47c8779c1d5
SHA1 9f343b53ef6665632c783b4a3a5efc7d9f0b44ed
SHA256 c48175d6b199095deab0fc82b77e22f2ad3d5c01933bbbf4bd6e2ee53a80f10f
SHA512 180f02a43d3a42eb66c5ec6578c7c8ee582ead9c3b00ceb9200d5dc80cd584df42a58cb9b58be204efecfd8feb8b0e60b3ccb0271a1de39821533a402f99b34f

C:\Users\Admin\AppData\Local\Temp\SggW.exe

MD5 b24925b6cac7ec2e4795dcd289b46b92
SHA1 5792687fd7581f33d61bd9280dfea0c5bb806666
SHA256 0de4d0d3b95a760c5c4e6817e7c468063ab2ac292cef192a1e1f3604e7fccee5
SHA512 2a694042bf0a358e7eb3c0b489eb59c7a741ca259c0878481b990a8083a94ebb0282f0f6b9621345cc2587936eb8b1117959aa13d2c2be3c21c1581223e1d49d

C:\Users\Admin\AppData\Local\Temp\sEcw.exe

MD5 691deb988a1ffa2918ee60c73a6c2345
SHA1 d70963a01e198c3366add3b71d3ea087d33bb80e
SHA256 30fca5569813defab5b6c3afab03e8c4e8f4936e8d94a55f5f3d0527fa81e12b
SHA512 33cb7a4d94bf960dc5818955bf2617565777fd844e1516fec80b8867e69c2554cbc36ca92137b679ccd18f665ed67e034d13f2f711bfbe35897288a6d1542213

C:\Users\Admin\AppData\Local\Temp\OUcg.exe

MD5 35d50292abc8ff17b9d7d8e2c719e70e
SHA1 05a3f8456b86c7a3814f34edaeeb229ff16ce94d
SHA256 93449297ef1485e3e0c1f948c449c342dcbc9c268bdcdcd764a9438015ab2300
SHA512 2a410aa40d801be735f4726c0f4a43f7bd199528143bd09df3afc33a412d794f74811e161136b84f6f86c5c0e91c56b74051c067029a9e74f5a3798f54687a4a

C:\Users\Admin\AppData\Local\Temp\EMkk.exe

MD5 23a95623476d0a77b836f76102e92c0f
SHA1 8377447b3583b23a6f7fdad3ce8e98aa103fdaad
SHA256 3e5a0b566e4c22e515fee2d1a8b3aa292508057ec28bd6de81c27f867a62d530
SHA512 2b4057967a91169b0f37fe5dc5099870907fb53488418ebd3af3500960da2409db293dcbb0e6e6576bc64f6a45d827bc4bdcf542952c80d47aa51ec0909bdc86

C:\Users\Admin\AppData\Local\Temp\yUku.exe

MD5 eb5b375f6d76941d7bbd96882f4f711e
SHA1 f4eb1ca53cf7289548b16d330742a1b6c4efe89d
SHA256 e389a316a16f14964d0c891591b8725eac8c8b2ac2b9b3f747a1b3a9246050db
SHA512 b0353cc83ee5aedb63943666645a404206bf2db2c17edc88aa3ac003a028f13bab03425b96f255471d090b3b7935ea10617111023854b89cbc414e3066757476

C:\Users\Admin\AppData\Local\Temp\CIsM.exe

MD5 68f6c708bb26b5761ccb2712f835e17f
SHA1 669bff5d528fb050a2fe80ca709607faf74519da
SHA256 8a1e0f3ba2acc34cbcb17eaec1135af7038c6ef2e51bc5062f9eacd164485ec3
SHA512 8c29b8bdfcbe50cfb290ed453465525cc96b91b06bdc1a6d3ab76a5a93512110382725e48d3dc16824157d8fe17c64730eccc7858598755a3189c51f879cd331

C:\Users\Admin\AppData\Local\Temp\gisc.ico

MD5 03c62b34b94a861c4f99017a91bc749e
SHA1 2ca36583370792d9d56be7e5db98417188adf5a6
SHA256 6b1018b4e474afacb1c54331284d85fdbc2bb5e945466dcbda91231feeac5fd4
SHA512 4260811ca36c05c15db789932b24767db68b0dfa1a0590e8d4f69328e208c38693e978d892e0d229756a8ab9092265e19b0a0da132f0542f8460be54ba6371f3

C:\Users\Admin\AppData\Local\Temp\eMcQ.exe

MD5 06799c4666406ed739be0b53e74fb162
SHA1 ace6e174c3a3c34f2d3252dd2f6387456603cab1
SHA256 9b163c957b3e8f18be99273e88f956e5f39f8c68a8e3271443bfae4b0f7e0017
SHA512 f474976fc459467a4eba166b22073b2209f141b10e8fd3d8c465c1d470f96b931d7861b675b4574f25b12ee2e65593b81bfe4c88e5353cd1c14012ee539f4332

C:\Users\Admin\AppData\Local\Temp\Cssc.exe

MD5 622754e6e9f8d2d1d6f4c50a3af4966f
SHA1 402cee4c1401f4d74178ed1655a3f6f7ef29f9f1
SHA256 7e0e8226771f8442c67ba364ed2e6aabb30a9c86b68e8f9bb521920d5070ca33
SHA512 8048a5f325290ea163f31d392356617f64393bec74c1e5c25864a9234125a3b2f34321a60db4d645328dad2af761d5a0eefd38152018ec1299b6abe4bc277ee4

C:\Users\Admin\AppData\Local\Temp\AoAM.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\ggsK.exe

MD5 7feb4c626b8abc7701a8bd5189656063
SHA1 26252731a4d402633cface8e22cbe2545ba25187
SHA256 2b711f6817ff82b4fa13841d7ebef871e1ac90631ce002bcc1590bebb69a7223
SHA512 c62a696bf2da309894c4bdb8c5cf5ed7c3fe73e008fde62e6007b32f46dd0fb5d74408d70b41ad2d1e2d03a9f695ba708593f828b6e491a3e565219766187703

C:\Users\Admin\AppData\Local\Temp\CYMI.exe

MD5 8833bb0066c9f208a75b89b634c5c9a1
SHA1 51c2254c66d104fa6719166dd33abbf187d67bf3
SHA256 30ea1f5750849bd7a0d0087fa835f0e5639d8febcb504c236487ab269bc0f4cf
SHA512 4fc004375ec5b6c3b6f481d4332d0204818701247e383e577701af553b821cb75580a88b658bf14480e1325ac52d587590cb134ff42548fcef80386f4a4d349e

C:\Users\Admin\AppData\Local\Temp\AsQq.exe

MD5 b1d8be21fee6e4152592fff79b099b1d
SHA1 0c0543292211d874ef93bd86622b0836b7583677
SHA256 69b807155bafab364fea6b2a9942d46c0f50ebb1b306850fefcff94bae57679d
SHA512 668f94ac3751c86a710509a046d2ba2f05962a8f6d4d9beb6675a7de50c478fac5fad4c64ce37cfc480a9bb1907fa5a2d80fbb8295cb419ccfb0cdf2696617b5

C:\Users\Admin\AppData\Local\Temp\KYcY.exe

MD5 ed5a338773d541b85d7393a98d7a50f6
SHA1 cfa1484ac8d913341dee7ecff6df4b9ef30b5341
SHA256 9c77c09745071d00a03e82d9ee4f46a9f15360ca231dcd183d703d31a95e296e
SHA512 9ff957728f4bdf182775dcfe715ef573e85600b614e44bd365c097d3ee7d35bd87a76d320e0f831576bba052a4b3bd8d20d15df64246c785f6d8e913c2e1f7d3

C:\Users\Admin\AppData\Local\Temp\UUse.exe

MD5 e1be2e29690c9f172306152697b4d2e8
SHA1 868875407f4450fbfc0fcc89d040e9c425a4a85f
SHA256 e65953621a2b424244c227587e3b7e3e3dbf4408b41c445cb8257dade99b3e06
SHA512 bd76cbaa49060c906bf25e245274aa24f22eb25478b90ccb1257b27f8bbe56c4addf5e51f34ebc98a4ee790f597d3c9611651881c7b39e81b14c64e56cb2a2b0

memory/3452-1702-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3524-1705-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

MD5 ee81fb914f0cfe46be77fe93cee88cb6
SHA1 78eb805f5ff25b9f9c640a65200197364cc28a9a
SHA256 bfbf07fd3d6121421cd97fa790b921fbef53a9d8a9b0bb4e6b7be5fd9e731d68
SHA512 69a08fa531d4b16ee0899b30577e1af772bd0d81baa3d3cababa58440c7fc63be24f65b28e4c67be5769bf329f5f202e36796c22b4129130d07ad977b222ef0b

memory/4184-1711-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2744-1719-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4448-1726-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4468-1735-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/432-1736-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/2744-1744-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4220-1753-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/404-1756-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4468-1757-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1572-1758-0x0000000000400000-0x00000000004BB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-18 11:44

Reported

2025-05-18 11:47

Platform

win11-20250502-en

Max time kernel

6s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\OoAIccIU\\yEIYoUog.exe," C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\OoAIccIU\\yEIYoUog.exe," C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\TkAYksMQ.exe = "C:\\Users\\Admin\\McgYYQkU\\TkAYksMQ.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yEIYoUog.exe = "C:\\ProgramData\\OoAIccIU\\yEIYoUog.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\McgYYQkU\TkAYksMQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\OoAIccIU\yEIYoUog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\vgMkAgMs\yGAoMYMM.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe
PID 4024 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\Users\Admin\McgYYQkU\TkAYksMQ.exe
PID 4024 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe C:\ProgramData\OoAIccIU\yEIYoUog.exe
PID 1168 wrote to memory of 5900 N/A C:\ProgramData\OoAIccIU\yEIYoUog.exe C:\ProgramData\OoAIccIU\yEIYoUog.exe
PID 3032 wrote to memory of 5176 N/A C:\Users\Admin\McgYYQkU\TkAYksMQ.exe C:\Users\Admin\McgYYQkU\TkAYksMQ.exe
PID 2924 wrote to memory of 5280 N/A C:\ProgramData\vgMkAgMs\yGAoMYMM.exe C:\ProgramData\vgMkAgMs\yGAoMYMM.exe
PID 5728 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\ProgramData\OoAIccIU\yEIYoUog.exe
PID 4256 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\McgYYQkU\TkAYksMQ.exe
PID 2736 wrote to memory of 4320 N/A C:\ProgramData\OoAIccIU\yEIYoUog.exe C:\ProgramData\OoAIccIU\yEIYoUog.exe
PID 4832 wrote to memory of 4316 N/A C:\Users\Admin\McgYYQkU\TkAYksMQ.exe C:\Users\Admin\McgYYQkU\TkAYksMQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe"

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

OHBL

C:\Users\Admin\McgYYQkU\TkAYksMQ.exe

"C:\Users\Admin\McgYYQkU\TkAYksMQ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\McgYYQkU\TkAYksMQ.exe

C:\ProgramData\OoAIccIU\yEIYoUog.exe

"C:\ProgramData\OoAIccIU\yEIYoUog.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\OoAIccIU\yEIYoUog.exe

C:\ProgramData\vgMkAgMs\yGAoMYMM.exe

C:\ProgramData\vgMkAgMs\yGAoMYMM.exe

C:\ProgramData\OoAIccIU\yEIYoUog.exe

WYMT

C:\Users\Admin\McgYYQkU\TkAYksMQ.exe

KFNR

C:\ProgramData\vgMkAgMs\yGAoMYMM.exe

LDZX

C:\ProgramData\OoAIccIU\yEIYoUog.exe

C:\ProgramData\OoAIccIU\yEIYoUog.exe

C:\Users\Admin\McgYYQkU\TkAYksMQ.exe

C:\Users\Admin\McgYYQkU\TkAYksMQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.16.238:80 google.com tcp
DE 144.76.195.253:443 api.bitcoincharts.com tcp
GB 142.250.187.206:443 maps.google.com tcp

Files

SHA512 676d7ce3d60ccb04400e2bf2f1c3ef033d3a66e7bb968c90cd7599399edb66481e5514101b2f39d61760d48555785654dcc6ff0322a9dd081086e75dd9d3bd3b

C:\Windows\SysWOW64\YUsQ.exe

MD5 3a5fe8abee44a8e5941be44496cbf84f
SHA1 ba9f2e94f1094e9b617904376205fb05adf79730
SHA256 03a7a3a41ff482ceb3015b8dacfea06255db8f3524d59a3e16198c12608bcf30
SHA512 3430183441cc8bab143a5298222579b28e2464316694fe0091e35508655b8e58e74326c524babf8aaf2c4340e4ed8f993a7fd2cac957c99da9af1d27edeb51f7

C:\Windows\SysWOW64\QsAW.exe

MD5 b10d3077a0118adff4ebdc63a6b7cc74
SHA1 aa06f93f8f913c7e1bf2d2c9ae82cd7f3c79393a
SHA256 c2c8a03feebb08fe5f7c7692819a977150a52a5750b1a916287526d72f364eac
SHA512 07288f254c88bd59b496a30652ba1488d7a1a997ff862154d9202810e7fc05fcb295968cea940d978e2117c1e1f97821b47c4cc9f89b3cb95d7171b0c0f2933b

C:\Windows\SysWOW64\AsQo.exe

MD5 2b99d2e58cb5a05db134ec50d13234d7
SHA1 2587be2bd3b88bb58caff6e7a4150893e01c869c
SHA256 0cb66973de87e5ade4bd65531f47452c2cde37693bf7ace75d8455612976d707
SHA512 8b003b4bd1d87055e70b3153fb851ddea09e6b2729ab551aedf798a5c10ee9912be2e491e75341648d21a0d1c01eb02feb388bd4239e3aef06f7a158ae66ddbb

C:\Windows\SysWOW64\EwIK.exe

MD5 269bf86615679f0b8377434163e91a97
SHA1 84c9a51f5e212d1c97653335a9a8e714da1a8ddb
SHA256 1459eb41ac94019c5ce438ed85c6fe330535b5186ec745a91890b9caeddef879
SHA512 17283ce397149d284e5313bb24371185768dadf56d3d6eebf27a47ddd0b0dfefac09ea70d94461ab7b14bcd8f4169f7d4f8f12396aa624886a5744b71dc2fb02

C:\Windows\SysWOW64\AEMm.exe

MD5 170aecaad899eb76dce674a578d78b39
SHA1 c01439e0fd0154e1df4e84c43cd702c54cf3d5cf
SHA256 80441a0802029a3f5fc57f5e9044f15ca685dd798225fb57ea7422e6a0ad116d
SHA512 ef606c7dedaeb32f0a05b517cd6c99235be0bb99bff79468fe7a4f118d19c5ecadfc3d8c27e5616715e44c062ba3afb11f2e9f13e48afc93413ac31b8dbea289

C:\Windows\SysWOW64\YgEK.exe

MD5 ecf1f9943ad9a1b940861c9dfc6c4425
SHA1 415ac5aaac73806969b86c46ce1a2dddd0a9da9c
SHA256 b08d9972ebc257ec5d36f2a4b5adf73e69b91a5b98445a4261b7b927e51fa5d8
SHA512 c97c492c17910be21a2393e5c70e1d257d27fa35a10550f4036f27f258d78478fb471dea7a40aa826c2fdeb4ce3b5b5dec204b3f1ea5bcc373aa327c994c4869

C:\Windows\SysWOW64\CcIk.exe

MD5 611be7943f5e6bd37b7dc48f44698a53
SHA1 91067a9d673b9c9f1aa7ddf3da52671992f6f966
SHA256 5e862b37a4df5963f536e3eca7eb47ffa9fee51e11b71e78c8d693acba753067
SHA512 6c1fce36928ce26497f35d1bef3ffb5a69a713b32cbca8128613fb1bbd79237a223ce4561c85d97038db12b8517bb5ebfd632fa1da0f061b84f6769e720ab259

C:\Windows\SysWOW64\swUC.exe

MD5 98a1e2c3929b8104f8e1c90d02ed14c3
SHA1 174973d8a83a9cd3c6c21c9fe09b4a30a45ea553
SHA256 e956309be3d20ea6ab4f07afd7ce00fca7408ec70b294b7ed585d775e3fddc35
SHA512 c2037b291706189423f8f6e1cbe3c8ca3992059a7fd8697e4a1e42d5b59bb947deb3599992f75ce050129bd58b3b643288ab495f80b8b2b5de0d2053a5a4b721

C:\Windows\SysWOW64\KAQY.exe

MD5 770867d583454c7ef622d30923db340b
SHA1 0ea6dd5b7353629668ca85875a39ec5b37a2eac4
SHA256 314d124de12e33f1bfb7320b2dbd13ef9067490ec7e828a9131738ebd3a412d3
SHA512 b3f44b0248e6305e1f6b40f4a2908b9461472894f6f7a43a1765534efc72b26140c566dd0931f2e647b2e3a466ee9514f35505f0d8d13034430f65adddd688ba

C:\Windows\SysWOW64\wgky.exe

MD5 7f29f60d319007e8ab67f096442b22ec
SHA1 0a6d035eb8b151ed0c6c6ada3c8634cf6d34cd8a
SHA256 4a3d0a3a45559b020346b39c7729b57e8fc05cb636ae4bed67668fa617ad1b12
SHA512 1e1927f2fb31729e432e7792863e6572c69130271ab3f31ca180d5d1f13ae35afa15172033087deb830373348427194a266ad5e1b295c3dedd6a3a6e012f5aeb

C:\Windows\SysWOW64\oQcA.exe

MD5 3343f6625c7b86f8ab5cae19431de952
SHA1 7981f7498423dd15595fa36a89b5fcb85e096d95
SHA256 82f330fb12f6d273fd300a5a03e0f4ad52bd825454de7650f49fbe90a9555077
SHA512 cba72cf9ecd5525880a8c3de7b1e1b9f3647287abd7eeda210e585d700b752a0b66e345d91234f7ea8663b29e403da5685b18bf6a2e0bd22529895ec76f6eccf

C:\Windows\SysWOW64\YcIm.exe

MD5 15a98edc649e52bca056eb9c9853facb
SHA1 9372e7fb5211848f5d8c570fdad952c5147a94c0
SHA256 bfa574b9eddc6f71e75cdb74691c40ae4628808c66a1f3956a19f28ba10c537f
SHA512 15403502e5853d1ba772942000ff278004e5eb57d0bd3265225fa29ebdea8f409de82ffbec5c5bafba003e80532a700e640e44e11faebc3cc7967712a3093023

C:\Windows\SysWOW64\OUQs.exe

MD5 9cddd1136396531b8302865d2d7a308e
SHA1 8cfbf2f4ae5a7bf4d78c3f4a26f7f7d9b00a9f92
SHA256 0495b691056dd7a05db8322a506b183f3357edff779e8dd0aeaf08b5a4be6f2b
SHA512 746d32f05e60152da2a3009c3ebdbc49e6ace96212158e644f614ab3d5bb97397a515c5d9f6c787b296a430c03133d7f6c49a9b7ae8a4767ee8ea3d7c1ad4aaf

C:\Windows\SysWOW64\uYIE.exe

MD5 1519b87dc9dfa1ae33162969ef0f799e
SHA1 3a9dfa7a63b0c6e5ea36b2eb74d419bd1bb36572
SHA256 8b132b6bdbecc7441c9d53c3725bc39113c809beb6fb21b81e86052d69ddee8b
SHA512 1c6c44e70e7ca748122f3ddee2b0dc3073e52b8b868f27ed922a14864116cd893a1a4e5b0ff29a773f89ebe2982a5f43498878f4ca5eded33b2aa133512c6920

C:\Windows\SysWOW64\AMky.exe

MD5 e95054558004f9f423756c753ac1350b
SHA1 9d012659b304ba68d047dabe290eab46136ad606
SHA256 57f27b8dc5939e9aac905907c9633b9c7273ed51bc99cb70dba22b38203523ef
SHA512 90a2ea68a6ebced0cb0d8216b86e3f8bfa1e6c83a13ff8e8fedb73ff71ba5ed015e5b34677342a0a0b9e1bfe9ef1e83fe1bcd31915ca457fb3f3abd3ad8f0ceb

C:\Windows\SysWOW64\CsAO.exe

MD5 136d5ac6843b8e278d40d7ca71793fd8
SHA1 23dae79362f35a0409d0cccc23dd524370b7361e
SHA256 009a9ab1a243fb288661429cb2895d3676b895ceb30ee6b4a95b30cb0ade6265
SHA512 56f450d182429879e118a0f5cc442db3bfbae3555289d62e36dd3efa5db843ca54b0fddb5c52dd9680b380d82850e02f4eb60d4f5fdb37112c38a3a8f5d30a3f

C:\Windows\SysWOW64\kwkw.exe

MD5 70bcf7da9d404cfef39c1007f8e186c8
SHA1 c41029929e81531cb98dc052ba21d0ec4b6db16f
SHA256 1009ff667f65661cdc8a6ebab55ab22962d8d1024065b36c89ecc24d58f4809c
SHA512 e3ee1d55dd9441b6767f4253f16e64551ae4caddc41b1d1bf2e460d3971e778a1d10ae2616149cd0f451ffa5b9e7dcdcabb9f3a470ddbcaf64ad1c20d9b7afe1

C:\Windows\SysWOW64\eIUU.exe

MD5 c5d201eccd131ac904e28573743d71ec
SHA1 a0cf141432a2cf5045b206d1094c44cbf84fa033
SHA256 53282a4c297a071457a7b31477f02c2092212d5d57e882dd16be8983f8b78fc3
SHA512 609675c9bf05e2c1373fa146004b49e58e105279362034633116e875d8400c7b79ef1cba5fd31a30f27443c99e0b7177d9029f969c56e87dfd1c1a28f79adf42

C:\Windows\SysWOW64\Cssc.exe

MD5 93a15fe58fa34e1bba41c81e3eca29c6
SHA1 86f6f16987b64b25e17d40308958b77e82a838a2
SHA256 6b78b57fe515e0fa521e91b09bcd857bbf2512616050d9ef972876d3c6152e9c
SHA512 141257e8f26507499cc0a63b07a205189ea37f3f1b0f19778f6eb487c7e6a573502340c321a96b12d4ccba01fe1872e79a8a27e89e9b1f4b0508450bb76d8ce8

C:\Windows\SysWOW64\eUgi.exe

MD5 fe452674f38caa33311ab7c1259c02a3
SHA1 aa9a9d9396a7f9852dd552030e7885a765315a62
SHA256 f7e56cb2b2c579bd36fa6ddd8caa20fa6b5861049de25b8af2dea5f6bfe98c31
SHA512 520f7f5bb424cbb1a492eb1fd3f25bbb7a950751fc4081242980b4eb9a99a93669a06b11335cd691636569e1dccc517576d330808f00f3466b92b99e82cc764d

C:\Windows\SysWOW64\OUso.exe

MD5 89e425329138389b0d8d7937c9ae1b54
SHA1 99e73e0520fbaf05bdaaeba2fa9ce268243d8330
SHA256 8c4390405542947e6893e66c8d9832c8929bf0759decf6112b77bc979711c9b6
SHA512 38681a9227d71e2f6ceb60a227ba1e86361e6bcc88ba88133f036f708c5c89cfed1f5e3368015458df91d66b70006f5b8565cb4d7a6f5be52ee7be7f5f895141

C:\Windows\SysWOW64\yocS.exe

MD5 b6542a8659727b609121d4daec739333
SHA1 5648d92fbc46d65a2b9eba738d70f7b068e0fd87
SHA256 29dbaf02245e7cb2e5b7bf0f2c4261bc6a647373ff37134ca4701b6ebc398a9e
SHA512 6f3d3b56037c06c78dfd2cb93fb4e1b8adffa6db442189ec265946f14fd44bbb490d9b933c34a11f1f7bcc758298e31b6029800287439a9dc3f01c11a714c021

C:\Windows\SysWOW64\uwoS.exe

MD5 30b25f30f5bc754c53ba37a950d393fb
SHA1 c08934a0838728c0f5c829cc0c472f85b6048536
SHA256 4c934704803bca01d2a807b728838148dcc5b31d3901110b24a213be5e4a1aaa
SHA512 04f773ecf79d2de4aa4af59ef581f98b4164c48be2fbc3a348f17f31d1951376f46847734426f2a3bbe95b2b2a36106551f75eac3cfbead36c3dc26f0dda91ef

C:\Windows\SysWOW64\AsUY.exe

MD5 c3c345ae1dac680dc1539ae9f0326e68
SHA1 8a6ac3fc5e20d1353695da51936cba83a3ef7d1e
SHA256 2261d19fb5edc8f3c0f1719a94a29a4584f885892b143a4537af340c0c58da8e
SHA512 7cd242d0d122252f9286309cdbb3922d344bc60e32e40d9742e4ef8c0faae76e1579fac22d721778f544d126cb920f1da9b18d41dcb7cdbfd89dc609b47b543e

C:\Windows\SysWOW64\QUgO.exe

MD5 7db172cb1013161a215aa349077c79cb
SHA1 85abee7cae77d7fee8105d523cad11e2dd7aba4d
SHA256 ce19ba9dcbb94a410d91afef324f7c46cddeae6e04569499601fef20dd1e4ab8
SHA512 05b507f7b5d48baa65c091036b2309a491ac58746210ecc50e07116866ee5dbd52cc475faf5532e96f9f1f5f5a3b7b6d8de0e1aef4cf5ffafbc195de50469053

C:\Windows\SysWOW64\YEsE.exe

MD5 e04f6b6c7fec5f536d6c2bdf1d44c0ee
SHA1 758bb97076ac89b21cd24624a6ea912eb2903263
SHA256 9025e3bb11a472ff78646e1fcb8df6a0bdabb95008f10e1b88dd846d8e335c91
SHA512 687554ad7218d7f3373ac30bfdc28774829483e96fcbea6f96e04cc55bc64ad7ca4eaf2f24997bd2aaded5c262a762c27a889503b95cf3ea9ba088537ad33221

C:\Windows\SysWOW64\OUQo.exe

MD5 fb54e939b386e9fcce13cefc60258750
SHA1 e65df25f10eb083e16b24d00b4d01a6f12f7d017
SHA256 c2312204a49dbe2d562afb5016bfdf6a1a8bc18fc4785e2613e739c4bc062ba5
SHA512 44753f54d9f397b5ba1f73503ad6e3080581457e4924f36f19eb17f887f2a29e79175449e87107a7eee251ec118b1618279575d1c4fdd0a428e1f211e9e07d8d

C:\Windows\SysWOW64\sMMO.exe

MD5 1425485136bcc08d071392c8755741bb
SHA1 f3ce09069ab9986ae317e0ac49a90b1078e23c49
SHA256 66d9f88ce8a380be5baacd52d6f34c9499fd57a80c1e52f41a0327fa5eb2308d
SHA512 3724b0aec0a26eb1ef9c93e3018669e48a92f15417de411a49ec3097a441094f1724401b62fa058ebf68e8cfc9fac25812cbd66a71ca37f81630e190764a394c

C:\Windows\SysWOW64\IOss.ico

MD5 34460862c89281546603585eba87f992
SHA1 c00e6558b839be12b54316e87116042454cccbd2
SHA256 bcb253ea3735a0cf0a8c6ee06c14c884937c64ddeacedb17240e40d403577620
SHA512 b21fbe3ba5b0a15dfe6d5797dd72fdfed7798748b1acc8846251ff1f58e164380a0bb2ff40a110f2b86fc6ba76abbb8cbe7a148eff697ef39a5dc4d1448bfe67

C:\Windows\SysWOW64\KQAa.exe

MD5 4e108431abb652aac7e808b4949cc055
SHA1 5626cc18685e80e6695461418663363ace4da256
SHA256 f6cb867755b3c9a4e2cb8bf3f0c769136c4fdd078703c0598fddeba7bcfdbe1b
SHA512 141b421110daebc15aafce584aa85095ca1657d99bc0fa6bbf1e2a359dcbc9794ec84838d7967eff3d869d853e0056463a19433209e61faeb62db7685426f4b4

C:\Windows\SysWOW64\MMYq.exe

MD5 fdec036cfe26f2e1d413e251994c78c2
SHA1 21e19e9858635a423e54fcb2e695b694508074f8
SHA256 aca4d5e41d618472c1df0e36151a0cfff14273da65ab13a785bb322c6621cf47
SHA512 9d8718aee95bc4ea063ead480095bf6f199668ead2250df4a9e47fa6a95b8c8b87618fd4f16601b5560600d368430a149b4506d725633b9b4e4b96173542e11a

C:\Windows\SysWOW64\wAYo.exe

MD5 7324274e1509375aaf75a22ec3193d1f
SHA1 13e0235d5904773a75ec539689becf73e3d7f875
SHA256 12c665ed0c9634d5ff27e80f092fabe1ba5ae29ca752be71ea1a8f5422a9afb3
SHA512 4bc6c2f57a5b8972b7a56da7b2613b9a2b0d687ac767d91e989eafce333bd63da55107d53e1da3c8304ad7c14f02185aab542d376d28688b41d946d30c53dd6a

C:\Windows\SysWOW64\IMUm.exe

MD5 17b958db7b09abed16d223a5736e2111
SHA1 19a74226a09ac65e3c4926579012cf1a526204e9
SHA256 132b5b059c2437cdb53a1c186632aaeb0a1fcdf6fa88e2d7f12cfc6ce3448898
SHA512 a53f57a2857126613a9cd9f80394af0d452fef2258b83fe48e594df8697d37589b6873881f1a93a0619df82aacf16d75a5125d82a938a6b1198b0f3455bffe2f

C:\Users\Admin\AppData\Local\Temp\2025-05-18_5d23cafe322408b29e561b3c380398c4_elex_virlock

MD5 ee81fb914f0cfe46be77fe93cee88cb6
SHA1 78eb805f5ff25b9f9c640a65200197364cc28a9a
SHA256 bfbf07fd3d6121421cd97fa790b921fbef53a9d8a9b0bb4e6b7be5fd9e731d68
SHA512 69a08fa531d4b16ee0899b30577e1af772bd0d81baa3d3cababa58440c7fc63be24f65b28e4c67be5769bf329f5f202e36796c22b4129130d07ad977b222ef0b

C:\Windows\SysWOW64\GAII.exe

MD5 5ffb198d090cf4cd3085f294e50b8477
SHA1 260d3fa48d371a41e2e3fb1bce23b00ee55b4492
SHA256 cc337334c928938979ce9c1ce11a5c022724c93029bceccc5a6b64f2e8488700
SHA512 7139db57aa595060320ad68ce3c59b48c0b972a19a2bb1c18575dcdc369eb9be215bbdcbe467be329dfe21a6138fd059f7585ff6b782e6d15484dba4e9567e74

memory/2736-1261-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Windows\SysWOW64\MsMW.exe

MD5 e7702572596969aeff54df7683670fba
SHA1 dbdee1aae552574920f9869b9d5069357209cafe
SHA256 68dbe2c8fbd0f0b23bfa3a92e4cb268d9ff3e935d8f6da513d220577b700e727
SHA512 d8e6f2d48996358d117f2f1aa124873516008852db320534c2a92438ff8dc3c5361b029af3ca6b90c183cfbde30fd9caccbc542cad14c71dd832de55243df2c0

C:\Windows\SysWOW64\qYsm.exe

MD5 a442e5c4d35650541be80343df5385f6
SHA1 696b631d4fe9e02bf35d1430d2369d03d3709974
SHA256 5d89bc97ce8a08364f46c36fe922510e6d97159b2350fda21f4d53523d1a74be
SHA512 939757bac5dddd102149f73bfc8f46bacb4ed2e5be43a7d4d70f479579c8ad180071fa4c5c7457fde1f0b88c66fb3e756ac7186b943497c96c8bd2cda7c2da65

C:\Windows\SysWOW64\SEQO.exe

MD5 05a4a4a615add49d04459bc3fe20e9e0
SHA1 02e610c7fb6cddab80230ed046d38b114b465a02
SHA256 afa12ea61d09493172ef8138b1bf7449547151d0190a92c922be9cb1cb9637d1
SHA512 c15afa4b9ec89f6722f08dd82e32862d8faaa6cfb31c43026fee7cc1029c29b6770e83dff5992fb16d49f80064064d2b30cf18eb88facf0b8b92a2e53e990868

C:\Windows\SysWOW64\YCAA.ico

MD5 f7858e48b74b107ab160878eb400128e
SHA1 d8cdd8be514077e101a9f0a0fdbcdefaea6aa72f
SHA256 2dd714e9df3921b1194d3d890f6509ca5ee753d81f9fd83dbeec831440d22938
SHA512 c2e950c96da0c901c550dddf953dee3eecbf9a1cb509100c93bb034351369e1547bf5b97d4aad78e2bdd516a09ea28e999e597fb0a91fb350da7b7d3ec08e9d7

C:\Windows\SysWOW64\uYcO.exe

MD5 13681374e765684ec37824e66e156d8e
SHA1 9a95861e62c0f24ad905350a227388673d554be3
SHA256 139f1192ae00889d33bc7cbbd36d2a87b21e3ea42a476f7e86b8915db1dc211d
SHA512 db05c8b6307ba8c3e6d170662d336f9db9430536fcaf07eb1279ea8a5fedbe9b4772e8c6612c0e215ace868221259af8b363315d69845cee7ebc77b7805cb593

C:\Windows\SysWOW64\AcQW.exe

MD5 c4faac476cf9b3d2851ee69dabe32d7d
SHA1 bd3b099c807751915fa62aaf4bce6b9916677ace
SHA256 748e4a72f9c25d74efb1d5130d112d812ccef375439b446e7840880e151d365b
SHA512 5bcc19d478702e29846aa78269de345c6de7425577ae412f9a4599b1b9935fbdeeaf9be1d16bd1f38cedf002bfe74eb26ffdeb92d5c86bddae371e1d6205b4fe

C:\Windows\SysWOW64\KiEY.ico

MD5 03c62b34b94a861c4f99017a91bc749e
SHA1 2ca36583370792d9d56be7e5db98417188adf5a6
SHA256 6b1018b4e474afacb1c54331284d85fdbc2bb5e945466dcbda91231feeac5fd4
SHA512 4260811ca36c05c15db789932b24767db68b0dfa1a0590e8d4f69328e208c38693e978d892e0d229756a8ab9092265e19b0a0da132f0542f8460be54ba6371f3

C:\Windows\SysWOW64\IIIE.exe

MD5 dce6f75c57521ecf50cefadbe6789fe3
SHA1 a811b7242803638fb67f5427e00761b50e4854a7
SHA256 eddf4b33db951edaae3c4b71d745246523000146ba6b0ce2ec1a8f042128e050
SHA512 2b29dc601313e3d5142c0e0408b65b408d3f5d0d3f9ab314a5573e364189cec9964d8d0771858711b33ae09c8dfc24d9a77344555d2b954279fc5bdff639c39a

C:\Windows\SysWOW64\kocQ.exe

MD5 92cace2e0fdc432d85d0f9fe5399aa1f
SHA1 4e8a121028b3dd5ae1b0334b7b41f2bb8d3a2051
SHA256 2df08f5cdc9ba72391d4c7019803c059e44340c38063bdd1f2d721429e9036d0
SHA512 8dab4d614e18ec71a50a9aabcf638c1258ac958f2c19aaee447ecf9de98f757e64a3c65e71a01cc40c240a607967e996c0313584ff46b500033a676b9f5ccb36

C:\Windows\SysWOW64\iMIe.exe

MD5 407ab5ca12bf356d9228ceb97ba5e52d
SHA1 cea7b6b86a86c342a79f4490e378d39877f8f84f
SHA256 28d66b826c9eb908111f77c646f3abd48979f210763cb28e3017f9d925734c09
SHA512 0d7592f0f19bcfd8ccbc930da656d70d9f2063be1a03592ab8f3f1bf5081e8207fdd1a5cee4f00cef63ce792913cca3f5e2bb9c303c575b7a1736c6cdc8e14b8

C:\Windows\SysWOW64\mcYU.exe

MD5 8aeda66fd2168cd3e49fa4e7e92f16ca
SHA1 fab3c16ab328327140c76c9ada97b6d624bdfb39
SHA256 8bbf0f52827c3caf7139528bdb39a024f3c3105b64dba8308e208355154ee77d
SHA512 b53f086d1619c17a804e679ca26884b274bc9bf084b18974fd74332ef59813858c83b51bd897774db453d161cb434a60d779cbb1cfd7b18dc22110488af1c496

C:\Windows\SysWOW64\YwYm.exe

MD5 4137e416e5e20ccb82eac3e696d5a15d
SHA1 5adb85ad5e2965cc6fdb5f8b726368aee6daf54c
SHA256 52ea58aa01d3f65245f412832d14aead36330a31d0d23f165c6e6f16872b3163
SHA512 4cdc37638fc2c9854521437a18b533ab2ff032e27ec43ba84b264bfa978064e589167a0a8c57b5cda95b945954138a76c7eea43637a44213a911e355533529de

C:\Windows\SysWOW64\AMsw.exe

MD5 15f709c3db2191779b246853ec575535
SHA1 f5ac0a3a54e5faabd52d747515f31a0d9b8c4e82
SHA256 75984cc136265100659a2fb92fc3cfee67840cf19847bd85d2d0be33f37bb94d
SHA512 e6b52917895ebac8debfdc4bb1443239b207f45bbae4be75d2394d94c6a90941317f673d44b9d630f71573cbc950e97f61c7c8d6f05e3bf6eb451ddcd173e8f8

C:\Windows\SysWOW64\cYAM.exe

MD5 025274a57bb8b1d86e3eacd546fcf0fc
SHA1 fcc67e0aa3e736a00429f6c29e52a0a54017f80f
SHA256 cf5ddb1f807a298e1ef1cb67ae2e8622b462721604d27ea3d7af6412de102318
SHA512 bb86cef30038013e51235a09ce139045235951ae13d34f3acb6b6a3eadcf4cb8d74883393b974306042f4be7d91e80b775c37374a92bd5301da7e4f3906c49c7

C:\Windows\SysWOW64\Wwsy.exe

MD5 41c6cf606d438f93f5b13a4e63b6d215
SHA1 d3411c4229f46c7c933c854b189030015d2dd251
SHA256 cd53f1827bc93054061c8b81caeebe9e5b48b96120b6aafff36769090abd96ca
SHA512 3ac160b46a21c8b83e1879549f3e3c20df294fc77fa54760fbd77e8aebf4b7d611c1f46253fb56b2c461a02a8de351102431d3e5d1997964f5409dfc941af27d

C:\Windows\SysWOW64\Ekoo.ico

MD5 383646cca62e4fe9e6ab638e6dea9b9e
SHA1 b91b3cbb9bcf486bb7dc28dc89301464659bb95b
SHA256 9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5
SHA512 03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

C:\Windows\SysWOW64\kAky.exe

MD5 0a199117276ccbb9c33d8c9aeef79049
SHA1 a0065809fb3b5a41a602d138bdccf55998a172a8
SHA256 706ad3f3b2e1b78514942a4299e15495d2e6dd76ecccffba5c9bd232ba9a9e0f
SHA512 1a3b399569cc33b95e779f339f57fbe3e387890d8a7bd5f98d7e05da810d946d64cd728592e745cddabf0338cec49d67a42b2fc0ccf5dd932415cb42b63259dc

C:\Windows\SysWOW64\cswE.exe

MD5 4dd202d2e5b6f4cea52e9b42ce1ab213
SHA1 2da199419fd636f94a278cfa34bfd331c89bdfc9
SHA256 f77cb3ba02d1c15110c146dc0291cd3c02f11913ef730b759ec6145e7f9d0573
SHA512 967fab7f21a21fe8d98034200ee4eeba3044bc6085f0a611fe2e547cea4af5e12f4095d4393608181b30cb076a5ec8f35240f265fd1601c649934ce282cd8c21

memory/4832-1494-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Windows\SysWOW64\gcYi.exe

MD5 c0989933a3b821d7225beda54e166b3b
SHA1 9186b354cdebde23f86b8a2c6d0e08f90caa0ef2
SHA256 8f52cfff134308058d65335b43f420d6275fa9092b33f0839687cfaa96bc61d8
SHA512 eaec234d9db623878695e985fb119bf9ae3d48cd506d7f5ef26cb08e9ebd03b941dbcf3fe8feac624dc6390b833934f88e742ab4223aac562b0f20e508904cd0

C:\Windows\SysWOW64\ggMC.exe

MD5 2e0dd0f767b16f4f51702de06a5f2b9a
SHA1 f77603cd709c115b304619c55e85fb7497e80bf1
SHA256 bb4594f6b80a649244023e95deecbdbcd26e39f022d0443b60f8c2ba4aa9c9a4
SHA512 3ab1787b17ec8a7e56add1e31cafec640f0e02a178aa71c9c2e337ec1349d8893f237231b406c594ce0108744994a8c38455fa0e06dddce5b28afabbdf870ea0

C:\Windows\SysWOW64\SgEQ.exe

MD5 01b1bf05005eadc057f1a0d8732b25cc
SHA1 3c21ffff465aa80113822225781ac96e8008baf1
SHA256 da8ee9fc8e786484325f8efcef5e452e6b14d530ec943240fdc4182a2958a633
SHA512 a37d3f0641f3f3c3e8436e2d0536595a5e07c8447eb3db0919ff58ca8f018cbce171c5394defe3a1a707a1f699ee2d890368cdbaa05b77385f01f4ec3355f000

C:\Windows\SysWOW64\UgYy.exe

MD5 5ba1d35af007fd3a602c133e325ef549
SHA1 cb3acbfd90ecb7f7dfdd326b5770ab700b09f43e
SHA256 20a8c3aea196fc7d4daa9168cd3e52cd994bcb6b89490c8b2a2ddb2062a4a3a5
SHA512 464137d531c3c89090587e37be97ee4413a7333d9219dad6a184e3208a8c020e7f346b073a0d9718c5c6547d5905f9326a05f9673ae421c68fe97327819daf4c

C:\Windows\SysWOW64\UQQQ.exe

MD5 6cead442539b6a7d81928c06e74af07f
SHA1 aceb3dea8784e1b9150e9ed3785a813127e44fb2
SHA256 ed443821dc13e473a53a71a732c238a4178ade83c3d9ee7f6a9fede41392569a
SHA512 5bc82db181f16c2e608d7ffaf889f9b66fc30537d6dac2cd4aee8f7d5837e16846eb89440de70141b860d06ba39a3f512a2da3ba050127bbb41e14b396cdcbac

C:\Windows\SysWOW64\swMs.exe

MD5 5b37bdfdd62c2ac95a1024f2dcf8cabe
SHA1 6c1e026c26aaad9d573baa811aba19634a51d4e1
SHA256 6cbcb8ba399cbc148733b8e9250e27df083ead8c5029c9243c8cb57befa2e00e
SHA512 3b5344a46234389d11e526602048033971d3c93d7a8e696acbe8b70a370c478f394f33194ab04f27c36023512523c3f80ac5f1c38fb48f1f6959acb6eb19eb4b

C:\Windows\SysWOW64\qksg.exe

MD5 e30b32a1dad76a25c814f67f94e0d9ce
SHA1 ba7a13d05f6db2a3872844e39942306106518e11
SHA256 5cb2fa9b2aecec8cc892cd64d205a2337fc621821ea9073bcc20f50a9b722c14
SHA512 df313e3782a716afe0517b851c998908929d98d885665de48a3fc97aa68c58545c39c14fbf35862dc097c01358aff2dcd3e8285fa56b11c632fb70851e997fc8

C:\Windows\SysWOW64\UEIA.exe

MD5 318dd050d5adc1d17832fae935876241
SHA1 56d8eaca23add71bf78cb720b740229ae39eede9
SHA256 8515729cb425dbd2fa08d43172dae979e638a2c8fae21d7b040c96ec46f68b9b
SHA512 f816ea86d58e286b835e0136c258d98364da74acd4ff885a509a522f3b3554eb62828bf829bee705e64e38e96082c648b413ab9ac16f0915adf1cb8eb47963e3

C:\Windows\SysWOW64\eEUw.exe

MD5 11b924bbd12397f524d9ba17c1b1676a
SHA1 0a92c4510ea1dc8e3fb9690a3b62d27ff5ff64dc
SHA256 def7ca7adc4002ec0d806ffd5d2e36ed85acf5ff01f03c9a8d1b6fb2dcf2873d
SHA512 c2fe270be477069b4f36d7371a94292b9b1340fe350ebf35f690a168fef1bb945f625cc3ff4e4d419bd35a51d6fd52fceaf058c0e2e086bb13cb76e39fbfd315

C:\Windows\SysWOW64\mQQG.exe

MD5 08f97b6e94036f3e00a1a6a72f8fa2f6
SHA1 1b8a6f61f3963902c04bbe5b0b70b40542acc62a
SHA256 41c691d868fcb50f21acdd0416069df7e558f34f2c91e7dcff97572270820d17
SHA512 4114707c5e0a6e0388741979587a9777eaa332db934b33e01b967e41c456bdd508a2ecc0fb70b517fedfdc507e4cf976ba9add891478f6cc750f14f1104b7589

C:\Windows\SysWOW64\uYwo.exe

MD5 cc11915149cb6debf2aabfb9dfbc34ac
SHA1 19c15c1ef493c74ea843160e4ed8f6235bbb5ca2
SHA256 0c21046c1f803583e76a4f9fa4bfdc3f2bc250c27b426f2f57435d7f40a40c26
SHA512 754d4ca71dfa4b41845d8706811ab59b10518bf865ec47d484661b8762f4436fe4449a700d100ddd0a9cf6cda52169766185e3b10ec4898d2bc731cbf84445ed

C:\Windows\SysWOW64\UsMm.exe

MD5 76b9650d1590027655135c544a9d4f2f
SHA1 d5529d0e77827d8ee8ee495b8daa1c6c245646c4
SHA256 9464ebeb20f4d3f61db2ed35c3bf0e646ffd51cd4cac1b20b35eaafe90c6135a
SHA512 4804249c786f8881c4a358b1c1e36471917d3d056c7b451c4a9a4b24b965c1d8e38fd65f44b0aa1e61d1b4dc9a990d3934eb7614b3eee77d1f879eb98e007e53

C:\Windows\SysWOW64\CcwA.exe

MD5 df249dbaa91dec88b0aa375e29e70e54
SHA1 c5e013451974eaaa0284951d4d8ee0678195888a
SHA256 5dcf65b54cfe1138e5758f3c817b519eaa2e4940ff26565f091c8daf297b560a
SHA512 0ae3c125cd4a0f4d46f4be13cdb0be89438a62825f40e2ddfb7868bf6f1a19e1f97c74748cbb1b30c7dcba97976e758da4f4dbc64a2d913b6d4d8145ed5295e9

C:\Windows\SysWOW64\iYYK.exe

MD5 f9cebc0639af338fd24d113f5bd3ac8c
SHA1 fcb706d6f798f29f4e851dd071500fc3bda4de88
SHA256 79189e780bcf4bc1b65af9fb67dd76075b6e2110c46fde7cd6def62e8f7403c3
SHA512 57a171962a918b77a85ad0ef314a8142bd1ef0c6f1dadddb19bcf111a9d982feba085af86821b2cb50ba7293fbd1d15e822981d1c202ca57102a7ed887cef980

C:\Windows\SysWOW64\WMYk.exe

MD5 61835446cb81424c10fc166c6dc84487
SHA1 1465eddeff1f3f52c225e7841a1cf53e1560a569
SHA256 bcc4a23038afcd865e0d9416121e208a745448a9c7e384fab449f7375e80bbed
SHA512 9c56e03c70e8a1be26f8c4ca948dc2e666704d4b3bf106609b1bd98d2ddf0b520d522d53afdb3cbd04e916dc364253c4cdabc0a18c51087da2872d8e73f37ebb

C:\Windows\SysWOW64\OIsO.exe

MD5 f3d090ce5b757f272f4d6da8aab803c6
SHA1 af28201f08267285e410f016503a36d593264284
SHA256 3573c3009c90abcbe25664ad9b63b49689dce8eea6dac4509cf8cf6cb4521d02
SHA512 f806c8fdfd05e2f678d8b2e9c800545c1fe7f478ec539df2c13e423776df72f50ade8a94c017e0742a91325c42096059c73e939d64b0e4069b0d282de449a7ec

C:\Windows\SysWOW64\CsUa.exe

MD5 c6ff5c36bd4c2ef563cd01c16b151131
SHA1 73bdc8b97edbc6a3fc3a6e3a196102b7f8c793a8
SHA256 992ff01042e86bb3f4d3b9a57568a9e2df3ddf0b9f95f923ac3047ef7cdb3f4d
SHA512 6f452ea86d412d28c126445c0ed5f20afe687b09c297d7ceae7ca3c3aef7fec417eaba9195d130d555eacf460b54bf0e2505e5754af14cfebb24e0308360bb37

memory/1688-1796-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/576-1810-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4456-1809-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/5392-1811-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4032-1819-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4172-1827-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1712-1828-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/576-1836-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/5292-1845-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4964-1849-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/4172-1850-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3980-1851-0x0000000000400000-0x00000000004BB000-memory.dmp